bazel: use remote caching (#1456)

* bazel: add configuration for remote caching
* ci: enable bazel remote caching for building binaries
* ci: use bazel directly when building go binaries
* ci: enable cache for most build steps
* dev-docs: document remote caching
Malte Poll 2023-03-20 16:05:08 +01:00 committed by GitHub
parent 4f37fe38f9
commit c3c0940adb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 263 additions and 46 deletions


@ -38,3 +38,12 @@ build:linux_arm64_static --platforms @zig_sdk//libc_aware/platform:linux_arm64_m
# bazel config to explicitly disable stamping (hide version information at build time) # bazel config to explicitly disable stamping (hide version information at build time)
build:nostamp --nostamp --workspace_status_command= build:nostamp --nostamp --workspace_status_command=
# bazel config to use remote cache
build:remote_cache --bes_results_url=https://app.buildbuddy.io/invocation/
build:remote_cache --bes_backend=grpcs://remote.buildbuddy.io
build:remote_cache --remote_cache=grpcs://remote.buildbuddy.io
build:remote_cache --remote_timeout=3600
build:remote_cache --experimental_remote_build_event_upload=minimal
build:remote_cache --experimental_remote_cache_compression
build:remote_cache_readonly --noremote_upload_local_results # Uploads logs & artifacts without writing to cache
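Review bot: `remote_cache_readonly` on the last line sets only `--noremote_upload_local_results`, so `--config remote_cache_readonly` on its own configures no cache endpoint and has to be combined with `--config remote_cache`; neither the inline comment nor the dev-docs section added in this commit says so. Making the config self-contained avoids that trap: `build:remote_cache_readonly --config=remote_cache --noremote_upload_local_results`. A comment above the block should also record that a writable shared cache is a trust boundary, since anyone holding a write-capable API key can influence artifacts that other builds download, which makes read-only the safer default for local and untrusted builds.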


@ -4,7 +4,7 @@ description: Build the Constellation bootstrapper binary
inputs: inputs:
outputPath: outputPath:
description: "Output path of the binary" description: "Output path of the binary"
default: "./bootstrapper" default: "./build/bootstrapper"
required: true required: true
# Linux runner only (Docker required) # Linux runner only (Docker required)
@ -13,10 +13,16 @@ runs:
steps: steps:
- name: Build the bootstrapper - name: Build the bootstrapper
shell: bash shell: bash
env:
OUTPUT_PATH: ${{ inputs.outputPath }}
run: | run: |
echo "::group::Build the bootstrapper" echo "::group::Build the bootstrapper"
mkdir -p build && cd build mkdir -p "$(dirname "${OUTPUT_PATH}")"
cmake -DBAZEL:STRING=bazelisk .. label=//bootstrapper/cmd/bootstrapper:bootstrapper_linux_amd64
make bootstrapper bazel build "${label}"
mv -n bootstrapper "${{ inputs.outputPath }}" repository_root=$(git rev-parse --show-toplevel)
out_rel=$(bazel cquery --output=files "${label}")
out_loc="$(realpath "${repository_root}/${out_rel}")"
cp "${out_loc}" "${OUTPUT_PATH}"
chmod +w "${OUTPUT_PATH}"
echo "::endgroup::" echo "::endgroup::"
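Review bot: The build-locate-copy sequence in this `run` block (`bazel build`, `bazel cquery --output=files`, `realpath`, `cp`, `chmod +w`) is repeated almost verbatim in the cdbg, CLI, debugd, disk-mapper, measurement-reader and upgrade-agent actions further down, so any later fix has to be made seven times. Moving it into one helper script that takes the label and the output path would keep the actions in step. Two details deserve a comment wherever the code ends up: `cp` overwrites an existing file where the old `mv -n` refused to, and the sequence assumes `cquery` prints exactly one path, e.g. `# expects a single output file; Bazel outputs are read-only, hence chmod +w on the copy`.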


@ -10,15 +10,28 @@ inputs:
description: "Build CLI for this architecture. [amd64, arm64]" description: "Build CLI for this architecture. [amd64, arm64]"
required: true required: true
default: "amd64" default: "amd64"
outputPath:
description: "Output path of the binary"
default: "./build/cdbg"
required: false
runs: runs:
using: "composite" using: "composite"
steps: steps:
- name: Build cdbg - name: Build cdbg
shell: bash shell: bash
env:
GOOS: ${{ inputs.targetOS }}
GOARCH: ${{ inputs.targetArch }}
OUTPUT_PATH: ${{ inputs.outputPath }}
run: | run: |
echo "::group::Build cdbg" echo "::group::Build cdbg"
mkdir -p build && cd build mkdir -p "$(dirname "${OUTPUT_PATH}")"
cmake .. label="//debugd/cmd/cdbg:cdbg_${GOOS}_${GOARCH}"
GOOS=${{ inputs.targetOS }} GOARCH=${{ inputs.targetArch }} make cdbg bazel build "${label}"
repository_root=$(git rev-parse --show-toplevel)
out_rel=$(bazel cquery --output=files "${label}")
out_loc="$(realpath "${repository_root}/${out_rel}")"
cp "${out_loc}" "${OUTPUT_PATH}"
chmod +w "${OUTPUT_PATH}"
echo "::endgroup::" echo "::endgroup::"


@ -1,6 +1,6 @@
name: Build CLI name: Build CLI
description: | description: |
Runs cmake and cli make target in build folder. Optionally, Sigstore tools Builds CLI. Optionally, Sigstore tools
are used to sign CLI when inputs are provided. A draft release is published are used to sign CLI when inputs are provided. A draft release is published
when run on v* tag. when run on v* tag.
inputs: inputs:
@ -28,6 +28,9 @@ inputs:
description: "Password for Cosign private key" description: "Password for Cosign private key"
required: false required: false
default: "" default: ""
outputPath:
description: "Output path of the binary"
required: false
runs: runs:
using: "composite" using: "composite"
steps: steps:
@ -39,20 +42,28 @@ runs:
- name: Build CLI - name: Build CLI
shell: bash shell: bash
env:
GOOS: ${{ inputs.targetOS }}
GOARCH: ${{ inputs.targetArch }}
OUTPUT_PATH: ${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}
run: | run: |
echo "::group::Build CLI" echo "::group::Build CLI"
mkdir -p build mkdir -p "$(dirname "${OUTPUT_PATH}")"
cd build
if [ ${{ inputs.enterpriseCLI }} == 'true' ] if [ ${{ inputs.enterpriseCLI }} == 'true' ]
then then
cmake -DBAZEL:STRING=bazelisk -DCLI_BUILD_TAGS:STRING=enterprise .. cli_variant=enterprise
else else
cmake -DBAZEL:STRING=bazelisk .. cli_variant=oss
fi fi
GOOS=${{ inputs.targetOS }} GOARCH=${{ inputs.targetArch }} make cli label="//cli:cli_${cli_variant}_${GOOS}_${GOARCH}"
cp constellation constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }} bazel build "${label}"
echo "$(pwd)" >> $GITHUB_PATH repository_root=$(git rev-parse --show-toplevel)
export PATH="$PATH:$(pwd)" out_rel=$(bazel cquery --output=files "${label}")
out_loc="$(realpath "${repository_root}/${out_rel}")"
cp "${out_loc}" "${OUTPUT_PATH}"
chmod +w "${OUTPUT_PATH}"
echo "$(dirname "${OUTPUT_PATH}")" >> $GITHUB_PATH
export PATH="$PATH:$(dirname "${OUTPUT_PATH}")"
echo "::endgroup::" echo "::endgroup::"
# TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial # TODO: Replace with https://github.com/sigstore/sigstore-installer/tree/initial
@ -80,15 +91,15 @@ runs:
COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }} COSIGN_PUBLIC_KEY: ${{ inputs.cosignPublicKey }}
COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }} COSIGN_PRIVATE_KEY: ${{ inputs.cosignPrivateKey }}
COSIGN_PASSWORD: ${{ inputs.cosignPassword }} COSIGN_PASSWORD: ${{ inputs.cosignPassword }}
OUTPUT_PATH: ${{ inputs.outputPath || format('./build/constellation-{0}-{1}', inputs.targetOS, inputs.targetArch) }}
run: | run: |
SIGN_TARGET=constellation-${{ inputs.targetOS }}-${{ inputs.targetArch }}
echo "$COSIGN_PUBLIC_KEY" > cosign.pub echo "$COSIGN_PUBLIC_KEY" > cosign.pub
# Enabling experimental mode also publishes signature to Rekor # Enabling experimental mode also publishes signature to Rekor
COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY ${SIGN_TARGET} > ${SIGN_TARGET}.sig COSIGN_EXPERIMENTAL=1 cosign sign-blob --key env://COSIGN_PRIVATE_KEY "${OUTPUT_PATH}" > "${OUTPUT_PATH}.sig"
# Verify - As documentation & check # Verify - As documentation & check
# Local Signature (input: artifact, key, signature) # Local Signature (input: artifact, key, signature)
cosign verify-blob --key cosign.pub --signature ${SIGN_TARGET}.sig ${SIGN_TARGET} cosign verify-blob --key cosign.pub --signature "${OUTPUT_PATH}.sig" "${OUTPUT_PATH}"
# Transparency Log Signature (input: artifact, key) # Transparency Log Signature (input: artifact, key)
uuid=$(rekor-cli search --artifact ${SIGN_TARGET} | tail -n 1) uuid=$(rekor-cli search --artifact "${OUTPUT_PATH}" | tail -n 1)
sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content) sig=$(rekor-cli get --uuid=$uuid --format=json | jq -r .Body.HashedRekordObj.signature.content)
cosign verify-blob --key cosign.pub --signature <(echo $sig) ${SIGN_TARGET} cosign verify-blob --key cosign.pub --signature <(echo $sig) "${OUTPUT_PATH}"
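Review bot: The `Build CLI` step now appends `$(dirname "${OUTPUT_PATH}")` to `$GITHUB_PATH`, and with the default value or the callers' `build/constellation` that is a relative directory, whereas the old code appended the absolute `$(pwd)`. A relative PATH entry is resolved against whatever working directory a later step runs in, so the CLI may not be found, or a different `build/` directory may be searched instead. Resolve it before exporting: `echo "$(realpath "$(dirname "${OUTPUT_PATH}")")" >> "$GITHUB_PATH"`. In the same step `if [ ${{ inputs.enterpriseCLI }} == 'true' ]` still splices an input into the script text unquoted; it should go through `env:` like the inputs this commit already moved, e.g. `if [[ "${ENTERPRISE_CLI}" == 'true' ]]`.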


@ -4,7 +4,7 @@ description: Build the Constellation debugd binary
inputs: inputs:
outputPath: outputPath:
description: "Output path of the binary" description: "Output path of the binary"
default: "./debugd" default: "./build/debugd"
required: true required: true
# Linux runner only (homedir trick does not work on macOS, required for private runner) # Linux runner only (homedir trick does not work on macOS, required for private runner)
@ -13,14 +13,16 @@ runs:
steps: steps:
- name: Build debugd - name: Build debugd
shell: bash shell: bash
env:
OUTPUT_PATH: ${{ inputs.outputPath }}
run: | run: |
echo "::group::Build debugd" echo "::group::Build debugd"
homedir="$(getent passwd $(id -u) | cut -d ":" -f 6)" mkdir -p "$(dirname "${OUTPUT_PATH}")"
mkdir -p build && cd build label=//debugd/cmd/debugd:debugd_linux_amd64
cmake -DBAZEL:STRING=bazelisk .. bazel build "${label}"
export GOCACHE=${homedir}/.cache/go-build repository_root=$(git rev-parse --show-toplevel)
export GOPATH=${homedir}/go out_rel=$(bazel cquery --output=files "${label}")
export GOMODCACHE=${homedir}/.cache/go-mod out_loc="$(realpath "${repository_root}/${out_rel}")"
make debugd cp "${out_loc}" "${OUTPUT_PATH}"
mv -n debugd "${{ inputs.outputPath }}" chmod +w "${OUTPUT_PATH}"
echo "::endgroup::" echo "::endgroup::"


@ -4,7 +4,7 @@ description: Build the Constellation disk-mapper binary
inputs: inputs:
outputPath: outputPath:
description: "Output path of the binary" description: "Output path of the binary"
default: "./disk-mapper" default: "./build/disk-mapper"
required: true required: true
# Linux runner only (Docker required) # Linux runner only (Docker required)
@ -13,10 +13,16 @@ runs:
steps: steps:
- name: Build the disk-mapper - name: Build the disk-mapper
shell: bash shell: bash
env:
OUTPUT_PATH: ${{ inputs.outputPath }}
run: | run: |
echo "::group::Build the disk-mapper" echo "::group::Build the disk-mapper"
mkdir -p build && cd build mkdir -p "$(dirname "${OUTPUT_PATH}")"
cmake -DBAZEL:STRING=bazelisk .. label="//disk-mapper/cmd:disk-mapper_linux_amd64"
make disk-mapper bazel build "${label}"
mv -n disk-mapper "${{ inputs.outputPath }}" repository_root=$(git rev-parse --show-toplevel)
out_rel=$(bazel cquery --output=files "${label}")
out_loc="$(realpath "${repository_root}/${out_rel}")"
cp "${out_loc}" "${OUTPUT_PATH}"
chmod +w "${OUTPUT_PATH}"
echo "::endgroup::" echo "::endgroup::"


@ -4,7 +4,7 @@ description: Build the Constellation measurement-reader binary
inputs: inputs:
outputPath: outputPath:
description: "Output path of the binary" description: "Output path of the binary"
default: "./measurement-reader" default: "./build/measurement-reader"
required: true required: true
# Linux runner only (Docker required) # Linux runner only (Docker required)
@ -13,10 +13,16 @@ runs:
steps: steps:
- name: Build the measurement-reader - name: Build the measurement-reader
shell: bash shell: bash
env:
OUTPUT_PATH: ${{ inputs.outputPath }}
run: | run: |
echo "::group::Build the measurement-reader" echo "::group::Build the measurement-reader"
mkdir -p build && cd build mkdir -p "$(dirname "${OUTPUT_PATH}")"
cmake .. label="//measurement-reader/cmd:measurement-reader_linux_amd64"
make measurement-reader bazel build "${label}"
mv -n measurement-reader "${{ inputs.outputPath }}" repository_root=$(git rev-parse --show-toplevel)
out_rel=$(bazel cquery --output=files "${label}")
out_loc="$(realpath "${repository_root}/${out_rel}")"
cp "${out_loc}" "${OUTPUT_PATH}"
chmod +w "${OUTPUT_PATH}"
echo "::endgroup::" echo "::endgroup::"


@ -4,7 +4,7 @@ description: Build the Constellation upgrade-agent binary
inputs: inputs:
outputPath: outputPath:
description: "Output path of the binary" description: "Output path of the binary"
default: "./upgrade-agent" default: "./build/upgrade-agent"
required: true required: true
# Linux runner only (Docker required) # Linux runner only (Docker required)
@ -13,10 +13,16 @@ runs:
steps: steps:
- name: Build the upgrade-agent - name: Build the upgrade-agent
shell: bash shell: bash
env:
OUTPUT_PATH: ${{ inputs.outputPath }}
run: | run: |
echo "::group::Build the upgrade-agent" echo "::group::Build the upgrade-agent"
mkdir -p build && cd build mkdir -p "$(dirname "${OUTPUT_PATH}")"
cmake -DBAZEL:STRING=bazelisk .. label="//upgrade-agent/cmd:upgrade_agent_linux_amd64"
make upgrade-agent bazel build "${label}"
mv -n upgrade-agent "${{ inputs.outputPath }}" repository_root=$(git rev-parse --show-toplevel)
out_rel=$(bazel cquery --output=files "${label}")
out_loc="$(realpath "${repository_root}/${out_rel}")"
cp "${out_loc}" "${OUTPUT_PATH}"
chmod +w "${OUTPUT_PATH}"
echo "::endgroup::" echo "::endgroup::"


@ -11,6 +11,9 @@ inputs:
azureTenantID: azureTenantID:
description: "Azure tenant to use for login with OIDC" description: "Azure tenant to use for login with OIDC"
required: true required: true
buildBuddyApiKey:
description: "BuildBuddy API key for caching Bazel artifacts"
required: true
runs: runs:
using: "composite" using: "composite"
@ -25,10 +28,17 @@ runs:
with: with:
go-version: "1.20.2" go-version: "1.20.2"
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "true"
buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
- name: Build Constellation CLI - name: Build Constellation CLI
uses: ./.github/actions/build_cli uses: ./.github/actions/build_cli
with: with:
enterpriseCLI: true enterpriseCLI: true
outputPath: build/constellation
- name: MiniConstellation E2E - name: MiniConstellation E2E
shell: bash shell: bash


@ -71,6 +71,9 @@ inputs:
sonobuoyTestSuiteCmd: sonobuoyTestSuiteCmd:
description: "The sonobuoy test suite to run." description: "The sonobuoy test suite to run."
required: false required: false
buildBuddyApiKey:
description: "BuildBuddy API key for caching Bazel artifacts"
required: true
outputs: outputs:
kubeconfig: kubeconfig:
@ -104,12 +107,19 @@ runs:
echo "hostOS=$(go env GOOS)" >> $GITHUB_OUTPUT echo "hostOS=$(go env GOOS)" >> $GITHUB_OUTPUT
echo "hostArch=$(go env GOARCH)" >> $GITHUB_OUTPUT echo "hostArch=$(go env GOARCH)" >> $GITHUB_OUTPUT
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "true"
buildBuddyApiKey: ${{ inputs.buildBuddyApiKey }}
- name: Build CLI - name: Build CLI
uses: ./.github/actions/build_cli uses: ./.github/actions/build_cli
with: with:
targetOS: ${{ steps.determine-build-target.outputs.hostOS }} targetOS: ${{ steps.determine-build-target.outputs.hostOS }}
targetArch: ${{ steps.determine-build-target.outputs.hostArch }} targetArch: ${{ steps.determine-build-target.outputs.hostArch }}
enterpriseCLI: ${{ inputs.keepMeasurements }} enterpriseCLI: ${{ inputs.keepMeasurements }}
outputPath: "build/constellation"
- name: Build the bootstrapper - name: Build the bootstrapper
id: build-bootstrapper id: build-bootstrapper

55
.github/actions/setup_bazel/action.yml vendored Normal file

@ -0,0 +1,55 @@
name: Setup bazel
description: Setup Bazel for CI builds and tests
inputs:
useCache:
description: "Cache Bazel artifacts. Use 'true' to enable with rw, 'readonly' to download, and 'false' to disable."
default: "false"
required: true
buildBuddyApiKey:
description: "BuildBuddy API key for caching Bazel artifacts"
required: false
runs:
using: "composite"
steps:
- name: Check inputs
shell: bash
run: |
echo "::group::Check inputs"
if [[ "${{ inputs.useCache }}" != "true" && "${{ inputs.useCache }}" != "readonly" && "${{ inputs.useCache }}" != "false" ]]; then
echo "Invalid value for 'useCache' input: '${{ inputs.useCache }}'. Must be 'true', 'readonly', or 'false'."
exit 1
fi
if [[ "${{ inputs.useCache }}" == "true" || "${{ inputs.useCache }}" == "readonly" ]] && [[ -z "${{ inputs.buildBuddyApiKey }}" ]]; then
echo "BuildBuddy API key is required when cache is enabled."
exit 1
fi
echo "::endgroup::"
- name: Configure Bazel
shell: bash
if: inputs.useCache == 'true' || inputs.useCache == 'readonly'
env:
BUILDBUDDY_ORG_API_KEY: ${{ inputs.buildBuddyApiKey }}
run: |
echo "::group::Configure Bazel"
cat <<EOF >> ~/.bazelrc
build --bes_results_url=https://app.buildbuddy.io/invocation/
build --bes_backend=grpcs://remote.buildbuddy.io
build --remote_cache=grpcs://remote.buildbuddy.io
build --remote_timeout=3600
build --experimental_remote_build_event_upload=minimal
build --experimental_remote_cache_compression
build --remote_header=x-buildbuddy-api-key=${BUILDBUDDY_ORG_API_KEY}
EOF
echo "::endgroup::"
- name: Configure Bazel (readonly)
shell: bash
if: inputs.useCache == 'readonly'
run: |
echo "::group::Configure Bazel (readonly)"
echo "build --remote_upload_local_results=false" >> ~/.bazelrc
echo "::endgroup::"
- name: Check bazel version
shell: bash
run: bazel version
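Review bot: The `Check inputs` step splices `${{ inputs.useCache }}` and `${{ inputs.buildBuddyApiKey }}` straight into the bash source, so the API key becomes part of the script text and any quote or `$(...)` in an input is parsed as shell; the `Configure Bazel` step already passes the key through `env:` and the check should do the same. Separately, `Configure Bazel` appends the key to `~/.bazelrc` with `>>`: if any of these jobs run on a persistent (self-hosted) runner, the key stays on disk after the job and duplicate lines accumulate with every run, so it is worth creating the file with restrictive permissions and removing it in a cleanup step. The appended flags also duplicate the `remote_cache` config that this commit adds to the repository bazelrc and can drift from it.

```yaml
- name: Check inputs
  shell: bash
  env:
    USE_CACHE: ${{ inputs.useCache }}
    BUILDBUDDY_ORG_API_KEY: ${{ inputs.buildBuddyApiKey }}
  run: |
    # … unchanged: group start …
    if [[ "${USE_CACHE}" != "true" && "${USE_CACHE}" != "readonly" && "${USE_CACHE}" != "false" ]]; then
      echo "Invalid value for 'useCache' input: '${USE_CACHE}'. Must be 'true', 'readonly', or 'false'."
      exit 1
    fi
    if [[ "${USE_CACHE}" == "true" || "${USE_CACHE}" == "readonly" ]] && [[ -z "${BUILDBUDDY_ORG_API_KEY}" ]]; then
      # … unchanged: error message, exit 1 …
    fi
    # … unchanged: group end …
```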


@ -26,6 +26,12 @@ jobs:
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "true"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Build the bootstrapper - name: Build the bootstrapper
uses: ./.github/actions/build_bootstrapper uses: ./.github/actions/build_bootstrapper
@ -37,6 +43,12 @@ jobs:
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "true"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Build debugd - name: Build debugd
uses: ./.github/actions/build_debugd uses: ./.github/actions/build_debugd
@ -48,17 +60,25 @@ jobs:
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "true"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Build cdbg (Linux, amd64) - name: Build cdbg (Linux, amd64)
uses: ./.github/actions/build_cdbg uses: ./.github/actions/build_cdbg
with: with:
targetOS: "linux" targetOS: "linux"
targetArch: "amd64" targetArch: "amd64"
outputPath: ./build/cdbg_linux_amd64
- name: Build cdbg (Linux, arm64) - name: Build cdbg (Linux, arm64)
uses: ./.github/actions/build_cdbg uses: ./.github/actions/build_cdbg
with: with:
targetOS: "linux" targetOS: "linux"
targetArch: "arm64" targetArch: "arm64"
outputPath: ./build/cdbg_linux_arm64
build-cdbg-macos: build-cdbg-macos:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
@ -68,17 +88,25 @@ jobs:
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "true"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Build cdbg (macOS, amd64) - name: Build cdbg (macOS, amd64)
uses: ./.github/actions/build_cdbg uses: ./.github/actions/build_cdbg
with: with:
targetOS: "darwin" targetOS: "darwin"
targetArch: "amd64" targetArch: "amd64"
outputPath: ./build/cdbg_darwin_amd64
- name: Build cdbg (macOS, arm64) - name: Build cdbg (macOS, arm64)
uses: ./.github/actions/build_cdbg uses: ./.github/actions/build_cdbg
with: with:
targetOS: "darwin" targetOS: "darwin"
targetArch: "arm64" targetArch: "arm64"
outputPath: ./build/cdbg_darwin_arm64
build-disk-mapper: build-disk-mapper:
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
@ -88,6 +116,12 @@ jobs:
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "true"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Build disk-mapper - name: Build disk-mapper
uses: ./.github/actions/build_disk_mapper uses: ./.github/actions/build_disk_mapper
@ -99,6 +133,12 @@ jobs:
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "true"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Build measurement-reader - name: Build measurement-reader
uses: ./.github/actions/build_measurement_reader uses: ./.github/actions/build_measurement_reader
@ -110,6 +150,12 @@ jobs:
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "true"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Build CLI (Linux, amd64) - name: Build CLI (Linux, amd64)
uses: ./.github/actions/build_cli uses: ./.github/actions/build_cli
with: with:
@ -130,6 +176,12 @@ jobs:
with: with:
ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }} ref: ${{ !github.event.pull_request.head.repo.fork && github.head_ref || '' }}
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "true"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Build CLI (macOS, amd64) - name: Build CLI (macOS, amd64)
uses: ./.github/actions/build_cli uses: ./.github/actions/build_cli
with: with:
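Review bot: Every job in this file passes `useCache: "true"` together with `secrets.BUILDBUDDY_ORG_API_KEY`, but the checkout `ref:` expression suggests the workflow also handles pull requests from forks (the trigger is outside the hunks), and secrets are empty there; in that case the new `Check inputs` step of `setup_bazel` exits with "BuildBuddy API key is required when cache is enabled." and the build fails. Falling back when no key is available keeps fork builds working, e.g. `useCache: ${{ secrets.BUILDBUDDY_ORG_API_KEY != '' && 'true' || 'false' }}`. It is also worth using `readonly` for pull-request runs and read-write only for pushes to the main branch, so that code from an unreviewed branch cannot populate a cache that other builds read from. The same five-line step is repeated in all eight jobs, so the choice has to be applied to each of them.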


@ -68,6 +68,11 @@ jobs:
go-version: "1.20.2" go-version: "1.20.2"
cache: true cache: true
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "false"
- name: Build bootstrapper - name: Build bootstrapper
if: inputs.stream != 'debug' if: inputs.stream != 'debug'
uses: ./.github/actions/build_bootstrapper uses: ./.github/actions/build_bootstrapper


@ -41,3 +41,4 @@ jobs:
azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }} azureClientID: ${{ secrets.AZURE_E2E_MINI_CLIENT_ID }}
azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }} azureSubscriptionID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
azureTenantID: ${{ secrets.AZURE_TENANT_ID }} azureTenantID: ${{ secrets.AZURE_TENANT_ID }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}


@ -96,6 +96,7 @@ jobs:
gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com" gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: "sonobuoy full" test: "sonobuoy full"
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()


@ -258,6 +258,7 @@ jobs:
azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }} azureResourceGroup: ${{ steps.az_resource_group_gen.outputs.res_group_name }}
osImage: ${{ needs.find-latest-image.outputs.image }} osImage: ${{ needs.find-latest-image.outputs.image }}
isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }} isDebugImage: ${{ needs.find-latest-image.outputs.isDebugImage }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()


@ -148,6 +148,7 @@ jobs:
gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com" gcp_service_account: "constellation-e2e@constellation-331613.iam.gserviceaccount.com"
gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }} gcpClusterServiceAccountKey: ${{ secrets.GCP_CLUSTER_SERVICE_ACCOUNT }}
test: ${{ matrix.test }} test: ${{ matrix.test }}
buildBuddyApiKey: ${{ secrets.BUILDBUDDY_ORG_API_KEY }}
- name: Always terminate cluster - name: Always terminate cluster
if: always() if: always()


@ -29,6 +29,11 @@ jobs:
with: with:
ref: ${{ inputs.ref || github.head_ref }} ref: ${{ inputs.ref || github.head_ref }}
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "false"
- name: Build CLI - name: Build CLI
uses: ./.github/actions/build_cli uses: ./.github/actions/build_cli
with: with:
@ -107,6 +112,11 @@ jobs:
- name: Download Syft & Grype - name: Download Syft & Grype
uses: ./.github/actions/install_syft_grype uses: ./.github/actions/install_syft_grype
- name: Setup bazel
uses: ./.github/actions/setup_bazel
with:
useCache: "false"
# Build one CLI since Syft's go-module catalog will default to binary parsing. # Build one CLI since Syft's go-module catalog will default to binary parsing.
# Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI. # Binary parsing has the advantage that it will not include other dependencies from our repo not included in the CLI.
# This seems to work fine for one OS & one arch as long as we don't have OS specific imports. # This seems to work fine for one OS & one arch as long as we don't have OS specific imports.


@ -50,6 +50,17 @@ bazel build //cli:cli_oss_darwin_amd64 # cross compile CLI for mac amd64
bazel build //cli:cli_oss_darwin_arm64 # cross compile CLI for mac arm64 bazel build //cli:cli_oss_darwin_arm64 # cross compile CLI for mac arm64
``` ```
## Remote caching and execution
We use BuildBuddy for remote caching (and maybe remote execution in the future). To use it, you need to join the BuildBuddy organization and get an API key. Then, you can write it to `~/.bazelrc`:
```
build --remote_header=x-buildbuddy-api-key=<redacted>
```
To use the remote cache, build the project with `bazel build --config remote_cache //path/to:target`.
You can also copy the `remote_cache` config from `.bazelrc` to your `~/.bazelrc` and remove the `remote_cache` prefix to make it the default.
# Test # Test
You can run all integration and unitttests like this: You can run all integration and unitttests like this:


@ -22,6 +22,7 @@ timestamp() {
"${REPOSITORY_ROOT}/tools/pseudo-version" -print-timestamp -timestamp-format '2006-01-02T15:04:05Z07:00' "${REPOSITORY_ROOT}/tools/pseudo-version" -print-timestamp -timestamp-format '2006-01-02T15:04:05Z07:00'
} }
echo "REPO_URL https://github.com/edgelesssys/constellation.git"
echo "STABLE_STAMP_COMMIT $(git rev-parse HEAD)" echo "STABLE_STAMP_COMMIT $(git rev-parse HEAD)"
echo "STABLE_STAMP_STATE $(git diff-index --quiet HEAD -- && echo "clean" || echo "dirty")" echo "STABLE_STAMP_STATE $(git diff-index --quiet HEAD -- && echo "clean" || echo "dirty")"
echo "STABLE_STAMP_VERSION $(pseudo_version)" echo "STABLE_STAMP_VERSION $(pseudo_version)"